The Cryptography Chronicles
Download
Report
Transcript The Cryptography Chronicles
Something You Know
• Credentials: PIN, Password
• Significance: Shared, Compromised , Forgotten
Something You Have
• Credentials: Key, ID Card, Token
• Significance: Lost, Stolen or Forgotten
Somewhere You Are
• Credentials: GPS, Phone
Significance: Confirms credentials by location
Something You are or Do!
• Credentials: Biometrics
• Significance: Unique identifier but not secret
NSA
Suite A
NSA
Suite B
NSA
Suite C
Advanced Encryption Standard (AES)
Elliptic Curve Digital Signature
Algorithm (ECDSA) Digital Signatures
Elliptic Curve Diffie–Hellman (ECDH)
Key Agreement
Secure Hash Algorithm 2 (SHA-256
and SHA-384) Message Digest
Keesee/Crayon / Walburn
GoodSpeed
Accordion
Firefly /Enhanced Firefly
JOSEKI-1 Decrypt - A Way to
Encrypt/Decrypt Computer Software
Baton / Medley
Shillelagh
Saville / Padston
•
•
•
•
BitLocker
True Crypt
Encrypting File System
Physical Hardware based
Solutions
• Hashing
Data at Rest
Cryptography
•
•
•
•
•
•
•
EAP/ TLS
PGP, SSL, SSTP, IPSec
Bitlocker to Go
Secure Email
Rights Management
RMS
PKI
Data in Transit
•RSA Token
•Digital Certificates
•Multi Factor Authentication
•DNSsec
•Kerberos
Secure
Authentication
HTTP SMTP POP3
HTTPS SSMTP SPOP3
80
443
25
110
465
995
Secure Sockets Layer SSL / TLS
Transport Layer
Network Layer
Link Layer
SSL
SSL
Handshake
Change Cipher
Protocol
Spec Protocol
SSL
Alert Protocol
SSL Record Protocol
TCP
IP
HTTP
Private Key Created for Server
Private Key Created in Client Browser (E.g. IE10)
Host
(1) Handshake & Agree on Method of
Encryption
Server
Key
Cipher
Hash
Key
Cipher
Hash
RSA
RC4
HMAC-MDS
RSA
RC4
HMAC-MDS
Diffe Hellman
3-DES
– SHA2
Diffe Hellman
3-DES
HMAC – SHA2
DSA
AES 128
DSA
AES 128
Hello
Version
3.3
Version
3.3
Random
Number
29873456234234…
Random
Number
29873456234234…
(2) Server Sends a Certificate
To Confirm Identity
Host
Server
(3) Your Computer Says “Start Encrypting”
Host
Server
Both Computers Calculate a master Secret Code
Your Computer Now Asks the Server to Encrypt!
Ok Let’s Start Now
I’m Going to Send Encrypted Messages
Let’s Go!
(4) Server Starts Encrypting
Host
Server
Marcus
the Evil
Hacker
(5) All Content is Now Encrypted
Host
Server
Click Me
Authentication
Confidentiality
Key
Management
Application Layer
Application Layer
HTTPS SSMTP SPOP3
HTTP SMTP POP3
80
25
443
110
465
995
Secure Sockets Layer SSL / TLS
Transport Layer TCP – UDP - ICMP
Network Layer
IPSec
Link Layer
IPsec can Provide Security Between any Pair of Network-Layer
Entities (E.g, Between Two Hosts, Two Routers, or a Host and a Router).
Local Area
Network
Internet
Direct Access
UAG Server
Direct Access / VPN Client
Local or AD
Group Policy
Network
Application
+ Local IPSec Agent
Client
IPSec Policy
Module
IPSec Driver
TCP/IP Protocol
Driver
Security
Association
Database
IKE (ISAKMP)
Server
ISAKMP = Internet Security Association and Key Management Protocol
5 If no SA exists, the driver
contacts IKE Service.
2 If Policy exists, IPSec
Policy Agent monitors all
communication to the
TCP/IP protocol from all
applications.
6 IKE Negotiates Mutual
authentication and establishes
a shared secret that conform
to the security policy. IKE uses
ISAKMP for this task
Head Office DC / GPO / KDC
3 IPSec Policy Agent
communicates with the IPSec
driver & informs the IPSec
Driver of the type of
protection required.
Branch Office Server
7 IKE Finally provides the SA
to the IPSec driver, which then
protects the network traffic
Negotiation
1 Client Checks for IPSec
Policy (Start-up – GPO)
Domain Client
4 Driver then determines whether
an Security Association exists that
can be used to protect the traffic
8 Then the Driver returns the
Protected traffic to the TCP/IP
protocol for continued processing
ISAKMP = Internet Security Association and Key Management Protocol
Most common and
most important
Click Me
Message Digest
Algorithm
Message
Sender
Receiver
Welcome to
Amsterdam
for Microsoft
TechEd 2012
Message
Welcome to
Amsterdam
for Microsoft
TechEd 2012
Senders
Private Key
Senders
Public Key
<*t867GlLK
+*^g+£%f3
87Gk(t%<|_
Message Digest
Algorithm
Message
Transmitted
Correctly
Yes
Equal
No
<*t867GlLK
+*^g+£%f3
87Gk(t%<|_
Message Digest
Encryption
Algorithm
^&$&()I_JJUI
^^(PIOPO+_
*(%$ӣ%O)
Encryption
Algorithm
Encrypted Message Digest
(*^tgh)+<*$
”_KJL<>>K!*
*&%++JGH
Message Digest
Error
Message
Has Been
Modified
Root CA
Intermediate CA
Subordinate CA
User & Computer Certificates
Intermediate CA
Subordinate CA
User & Computer Certificates
Security Group
Policy Applied
Group Policy distribution
Certificate Publication,
Notification mapping to User
Accounts, Computers etc.
Domain Admin
Certificate services
KDC / Domain Controller
Active Directory
Domain Logon Process
Smartcard Logon Process
Domain User
Domain Client
Hardware Based
Solutions
Software Based
Solutions
• Proprietary,
• Expensive
• Fast
• Difficult to Manage
• Lower cost
• Does not require specific
hardware
File Based Solutions
• Done on a file-by-file basis
(only protects file)
• Not automatic
• Dependent on end-user
• WinZip, EFS, Etc
Disk / Full Volume
Based Solutions
• Encrypts entire drive (most
secure)
• Automatic; transparent to
the user
• But … if you lock yourself
out, you’re in trouble
• Need administrative
control
Plain Text 512 – 8192 Bytes
Key 512 Bits
Derive Sector Key
A - Diffuser
B - Diffuser
AES CBC
CipherText
Drive Type
Unlock Methods
Recovery
Methods
Operating System
Drives
TPM
Recovery
password
Other Hard Drive
Portable Drives
(Bitlocker to Go)
TPM+PIN
TPM+Startup key
TPM+PIN+
Startup Key
Startup key
Certificate
(for Fixed Drives and
Removable Drives)
Recovery Key
Active Directory
backup of
recovery password
Data Recovery
Agent (DRA)
Memory Analysis – Bitlocker Driver is Working
on Disk Layer – FVEVOL.SYS Encrypts on the Fly
Low Impact on Performance Typically < 5%
Management
Other requirements
Robust and
consistent Group
Policy enforcement
Supports Windows 7
And Windows 8
Minimum Pin
Length
Drive preparation fully
integrated in BitLocker setup.
System partition size:
200MB without WinRE
400MB with WinRE
System partition letterless
Uses NTFS file system
+
Pre Key
=
Key
Random Data
011001101010001
ATGCTCGAAGCT
Source: http://qubit.nist.gov/Images/OptLat.jpg
http://europe.msteched.com
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn
http://europe.msteched.com/sessions
www.securitysummit.com.cy